Graffiti in the digital world: How hacktivists use defacement

Activists have been featured more frequently in the news lately, with marches shining the spotlight on women’s rights and bringing about an end to gun violence, to name a few. However, the real world isn’t the only place where activism happens.

The digital realm has become a critical space for individuals to express their opinions and further their causes. While this can revolve around an informational website or video streaming platform, activism has also taken hold in the world of cybercriminals and hackers who have their own beliefs they’d like to communicate and publicize.

Enter hacktivism: activities carried out by hackers and motivated by political or other ideas. In many cases, these individuals aren’t marching with colorful signs or presenting their ideas as part of civil discourse, but are taking advantage of weaknesses to splash their ideas on an array of different, legitimate websites.

Local Ohio websites defaced by hacktivists

Before we delve into the statistics and methods behind these instances, let’s take a look at a recent example.

In 2017, the websites belonging to several local Ohio organizations – including those of Governor John Kasich and his wife Karen Kasich – were hacked and defaced on a Sunday morning. According to a report from Cyberscoop, this event was not an isolated incident: local government sites in Maryland, Idaho, California and New York had also been defaced by hackers in the past.

The hacktivists breached the governor’s and other local entities’ websites, and replaced the original, legitimate content with a threat against the current presidential administration and other violent messages, accompanied by a logo belonging to hacking group Team System DZ.

As Cyberscoop reported, this instance and many others like it, wherein attackers vandalize platforms, are considered “a lower-level form of cyberattack,” and typically come at the hands of less experienced hackers.

This group, Team System DZ, took credit for the defacement on the websites themselves as well as on Facebook, and has been vandalizing websites in this way for several years now.

Website defacement is a form of digital graffiti.

How defacement happens

Although hacktivist website defacement has been taking place for years now – and has even been featured as part of pop culture story lines in sitcoms and film – until recently there wasn’t much research that delved into the targets, methods and motivations behind these activities.

Most of these events involved websites running on the Linux operating system, which accounted for more than 9 million defacements. Windows 2003 saw more than 1.5 million defacements, with over 400,000 and 338,000 taking place on Windows 2000 and Windows 2008, respectively. Similarly, Apache servers bore the brunt of attacks, with more than 8 million defacement instances, and more than 1.5 million hacktivist attacks took place on IIS/6.0 web servers.

In order to breach website protections and carry out defacement, hacktivists will target specific vulnerabilities to gain unauthorized access to backend supporting systems. Trend Micro found that most hacktivists (more than 2 million) leveraged file inclusion vulnerabilities to enable defacement. Other strategies included:

SQL injections – 1.26 million

Unpatched system vulnerabilities – 1.16 million

Password stealing – 1.11 million

Other types of server intrusions – 800,000

Motivations driving defacement attacks

There are numerous different aspects that can motivate hacktivists to deface a website. In many instances, the target is chosen specifically and the defacement tailored to express a certain viewpoint.

Trend Micro’s research found that many defacement episodes took place as reactions to other events. Many instances served to push an agenda held by the hacking group, to shine a light on grievances and to spread certain political messages.

#OpIsrael
This is one of the first and longest-running web defacement campaigns, and one of three major anti-Israel campaigns identified by Trend Micro researchers. #OpIsrael is one example of hacktivist activity motivated by political beliefs and shared grievances. To date, several different hacking groups have taken part in #OpIsrael, with defacements driven by the Israel-Palestine conflict.

One of the first instances of defacements as part of this campaign took place in 2012, when the regular content of myisrael.us was removed and replaced with a political message that included the phrase “Freedom For Palestine” alongside an embedded video condemning the Gaza War.

Since then, the campaign has carried out an annual large-scale defacement of various websites on April 7, which coincides with Holocaust Remembrance Day – to date, more than 300 defacers have vandalized over 5,400 domains.

Website defacement at the hands of hacktivists has impacted government agencies, private organizations and other entities.

#OpFrance: Hacktivists respond to Charlie Hebdo attack
Several hacktivist defacement campaigns also came on the heels of the January 2015 attack on Charlie Hebdo, a controversial French magazine that published satirical cartoons about Islam and the prophet Muhammad.

Campaigns including #OpFrance were established in response to the attack, as well as subcampaigns like #OpCharlie, #OpCharlieHebdo and #AntiCharlieHebdo. Most of the activity that took place in connection with these campaigns happened directly after the attack, reaching a peak on Jan. 11, 2015. However, defacements associated with the Charlie Hebdo attack took place all the way through September 2016.

Digital vandalism was supported by an array of hacking groups from Syria, Morocco, Bangladesh, Indonesia and elsewhere, and centered around French websites that appeared to be sympathetic to the magazine. Defacements included pro-Muslim and pro-Islamic messages.

Safeguarding websites from hacktivist defacement

While many defacement events come as responses to specific events, every organization should take the time to ensure that their website is safeguarded against this kind of unauthorized access. Defacement takes a considerable toll, particularly when current and potential customers and partners cannot access the portals, capabilities and information the website typically offers.

Ensure systems are patched. Any known vulnerabilities could be used to breach and attack the website. Virtual patching is imperative, and a solution like Trend Micro’s Deep Security for webserver protection is a beneficial way to manage and maintain patches and updates.

Use strong passwords. Default passwords should be replaced with more robust credentials that include a mix of numbers, letters and special characters and cannot be easily guessed.

Leverage security at the web application level. This includes web app firewalls to monitor activity and guard against traffic that could threaten website performance and usability.
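
File inclusion was the most common route to defacement in the figures above. The following is an added example, not code from the original article or from Trend Micro, of one application-level check against it: a resolver that only ever returns files inside a fixed page directory. The function names, directory layout and sample requests are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote
import tempfile

# Constructed sample requests: one legitimate page name and five inclusion attempts.
SAMPLE_REQUESTS = ["about.html", "../secret.html", "%2e%2e%2fsecret.html",
                   "/etc/passwd", "http://example.invalid/x.html", "about.html%00.png"]

class InclusionRejected(ValueError):
    """Raised when a requested page name cannot be resolved safely."""

def resolve_page(base_dir: Path, requested: str) -> Path:
    """Map a user-supplied page name to a file strictly inside base_dir."""
    name = unquote(requested)            # decode again so encoded "../" is checked too
    if "\x00" in name:
        raise InclusionRejected("NUL byte in page name")
    if "://" in name or name.startswith("//"):
        raise InclusionRejected("remote location, not a local page")
    base = base_dir.resolve()
    candidate = (base / name).resolve()  # collapses "../" and follows symlinks
    if not candidate.is_relative_to(base):   # Python 3.9+
        raise InclusionRejected("path escapes the page directory")
    if candidate.suffix != ".html" or not candidate.is_file():
        raise InclusionRejected("not a known page")
    return candidate

def demo() -> dict:
    """Run the constructed requests against a throwaway page directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pages = root / "pages"
        pages.mkdir()
        (pages / "about.html").write_text("<h1>About</h1>")
        (root / "secret.html").write_text("outside the page directory")
        for req in SAMPLE_REQUESTS:
            try:
                results[req] = resolve_page(pages, req).name
            except InclusionRejected as exc:
                results[req] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:40} -> {outcome}")
```

The containment check runs on the fully resolved path, so encoded traversal sequences, absolute paths and symlinks that point outside the page directory are all rejected by the same comparison.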

To find out more about protecting your organization’s website – including with advanced solutions like Trend Micro Deep Security and Vulnerability Protection – connect with our security experts today.